Stray private network traffic from LAN side


#1

I have a Balance One set up for DHCP/NAT using 192.168… subnet. Some clients put traffic on the LAN destined for 172.16… or 10.0… - Will these by default get ignored / dropped with respect to the WAN by the Balance One, or do I need Firewall Access Rules to deny WAN access to these packets? (I would expect them to be, by default, blocked from being passed to the WAN side.)

Same question for other reserved IPv4 address ranges like Link Local, Multicast, and Limited Broadcast?

Also, what does the Balance router do with packets that originate from source IP addresses that are not within the IP address block defined for the router LAN? (I would expect them to be ignored / dropped.)

Is the Balance router behavior for reserved ranges documented somewhere?


#2

Any traffic destined for a private subnet range that is not present on the LAN of the balance will by default be forwarded to the WAN interface for onwards progression (unless an alternative route exists for that subnet - ie a static route or one learned over PepVPN via OSPF, or firewall rules have been added to block that traffic).

Those reserved address ranges for the local LAN subnet are blocked.from WAN transport as that is a typical approach (so broadcast traffic on the LAN does not pass through to the WAN).

Packets from a source IP range that is different to the subnet(s) present on the Balance LAN - if routed correctly to the Balance LAN IP address, would be forwarded to the WAN.


#3

Thank you for the explanation. After some thought, I see why it would be this way by default.

I don’t see a reason to allow WAN access from any unknown devices outside my DHCP range, and I don’t want any packets to private or reserved destination addresses to make it to the WAN. So I assume it’s typical then (or at least no harm and potentially some benefit) in a simple topography (WAN is the public internet; no private subnets on the WAN side) to create Outbound Firewall Rules to block stray traffic from unidentified LAN IP ranges, and also to block stray traffic to private or reserved IP ranges?

For example, with a router LAN/DHCP range of 192.168.0.0/20:

Will denying my own LAN private range as a destination break traffic within the router’s LAN?


#4

Only if those rules are in the ‘Internal Network Firewall Rules’ section.


#5

I don’t have the fourth rule above enabled, and I fixed the self-assigned range, but the odd thing is I do get entries like:

Denied CONN=lan MAC=... SRC=192.168... DST=169.254...

in my logs, even though no 'Internal Network Firewall Rules are defined. Why would Outbound Firewall Rules affect “CONN=lan” traffic?


#6

I found the same behavior and was told that engineering was aware of it and looking towards a fix.

I did find a way to fix it, but it was kind of hokey. I created a vlan for the 169.254.x.x traffic and then changed all of my port types to be a trunk that did NOT allow the newly created vlan. This causes all the traffic from 169.254 to be dropped at the switch (rather than the gateway) since it is not tagged properly.

Lemme guess – DirecTV DVR? If so, they add this link-local address to prevent loops in the network since the network connection is actually shared through the DVR. If you have a second DVR that is ALSO connected to the same network – the 169.254 addresses allow the two devices to see one another and change up their sharing setup. Instead of the second DVR getting it’s internet access through the first DVR, it goes directly to the internet.

hope this helps. Most of the time, the ISP will drop those packets since they don’t match the net mask. This assumes that the ISP does not have a private network using 169.254 schemes. I would hope that they don’t, but I wouldn’t put it past them. This range is the default no-config network setup. i.e. if there is no DHCP, devices on the same layer 2 can still talk.


#7

Thanks. It’s not DirecTV, but it is a consumer A/V box, probably looking for some peers of its brand. I don’t allow any traffic from DirecTV boxes :wink: